Oracle PeopleSoft administrators have a new emergency issue to triage: Oracle published an out-of-band alert for CVE-2026-35273, a critical PeopleSoft PeopleTools vulnerability that is remotely exploitable without authentication and can lead to remote code execution.[1] The timing matters because ShinyHunters-linked extortion activity is also being reported against cloud and on-premises PeopleSoft environments, with claims of data theft from more than 100 organizations.[3]
The public record does not yet give defenders a clean, vendor-confirmed chain tying every reported PeopleSoft breach to CVE-2026-35273. That distinction is important, but it is no reason to slow the response: Oracle says the flaw affects PeopleSoft Enterprise PeopleTools 8.61 and 8.62, sits in the Updates Environment Management component, uses HTTP as the attack protocol, and scores CVSS 9.8 critical with high confidentiality, integrity, and availability impact.[1][2]

What PeopleSoft teams should check now
Start with exposure. Any internet-reachable PeopleSoft web tier deserves immediate priority, especially if it supports HR, payroll, finance, procurement, or student administration data. Oracle’s alert points customers to a support-only patch availability document and recommends immediate mitigation, while warning that unsupported older releases may also be affected even if they were not tested in the alert.[1] If a patch or mitigation cannot be applied at once, reduce external reachability, restrict access through VPN or allowlists, and preserve logs before making disruptive containment changes.
Because this is a no-authentication network flaw, the first question is not whether an attacker has a PeopleSoft login. The first question is whether the relevant HTTP endpoint was reachable from an untrusted network. NVD’s record describes the bug as an easily exploitable missing-authentication issue that can result in takeover of PeopleSoft Enterprise PeopleTools.[2] That is a different risk profile from low-privilege abuse or post-login workflow bugs.
The active-campaign reporting adds a second workstream: compromise review. BleepingComputer reported that ShinyHunters claimed access to about 300 PeopleSoft instances across more than 100 organizations, with education heavily represented, and published infrastructure clues including the IPs 142.11.200[.]186 through 142.11.200[.]190, 108.174.202[.]99, and 176.120.22[.]24.[3] Treat those as starting points, not a complete detection list.
For triage, review web access logs, application server logs, administrative account use, new or changed SSH keys, unexpected MeshCentral or remote-management agents, suspicious changes around psappsrv.cfg, and any ransom-note or defacement artifacts on PeopleSoft web, app, and batch tiers. Help Net Security cited Mandiant CTO Charles Carmakal warning that the zero-day is being exploited in the wild, while also noting that Oracle had not confirmed active exploitation to the outlet at publication time.[4] That is enough to justify incident-response handling rather than a routine patch queue.
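As a starting point for the web access log review, the sketch below sweeps log lines for the reported campaign addresses. It is an added example, not code from Oracle or the cited reports; it assumes combined-log-format lines, a logging setup that may append the X-Forwarded-For value as a trailing field, and a shorthand range notation for the .186 through .190 block. The sample lines and request paths are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators as reported in the article, kept defanged. The "186-190" form is
# this example's own shorthand for ".186 through .190".
REPORTED = ["142.11.200[.]186-190", "108.174.202[.]99", "176.120.22[.]24"]

SAMPLE = [  # constructed log lines, not taken from any real incident
    '203.0.113.7 - - [10/Jun/2026:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"',
    '142.11.200.188 - - [10/Jun/2026:08:02:40 +0000] "POST /example/path HTTP/1.1" 200 90 "-" "-"',
    '10.0.0.5 - - [10/Jun/2026:08:03:05 +0000] "GET /example/path HTTP/1.1" 404 0 "-" "-" "176.120.22.24"',
    '142.11.200.191 - - [10/Jun/2026:08:04:00 +0000] "GET / HTTP/1.1" 200 10 "-" "-"',
]

# Combined-log-format prefix: client ident user [timestamp] "request" status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def expand(indicators):
    """Refang indicators and expand last-octet ranges into validated addresses."""
    out = set()
    for item in indicators:
        prefix, _, last = item.replace("[.]", ".").rpartition(".")
        lo, _, hi = last.partition("-")
        for octet in range(int(lo), int(hi or lo) + 1):
            out.add(str(ipaddress.ip_address(f"{prefix}.{octet}")))
    return out

def hunt(lines, indicators=REPORTED):
    """Return {ip: [(timestamp, request, status), ...]} for lines naming an indicator."""
    watch = expand(indicators)
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        # Lines in an unexpected format are still searched, just not parsed.
        rec = (m.group(2), m.group(3), int(m.group(4))) if m else (None, line.strip(), None)
        # Check every IPv4 on the line so proxied clients are caught too.
        for raw in set(IPV4.findall(line)):
            if raw in watch:
                hits[raw].append(rec)
    return dict(hits)

if __name__ == "__main__":
    for ip, records in sorted(hunt(SAMPLE).items()):
        print(ip, len(records), records[0])
```

An empty result does not clear a host, since the published addresses are not a complete list; a hit identifies the time window to preserve and examine on the web, app, and batch tiers.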
PeopleSoft is not a niche target: it often concentrates employee, student, payroll, finance, and administrative records in one place. That makes it attractive for the same data-extortion economy seen in other enterprise incidents. HowToFix.guide recently covered a separate Oracle enterprise exposure in Oracle WebLogic CVE-2024-21182, the pressure tactics used by Silent Ransom Group against professional-services firms, and the operational fallout of support-flow abuse in the Meta AI Support account-takeover incident. The common lesson is simple: patch the exposed path, then verify whether data already left.
For organizations running affected PeopleTools builds, the practical order is: apply Oracle’s mitigation or patch through My Oracle Support, remove public exposure where possible, hunt for campaign infrastructure and abnormal PeopleSoft administration activity, reset credentials and keys that could have touched PeopleSoft hosts, and prepare breach-notification review if HR, payroll, student, or finance records were accessible.
References
[1] Oracle. Oracle Security Alert Advisory – CVE-2026-35273. Initial release: June 10, 2026.
[2] National Vulnerability Database. CVE-2026-35273 Detail. Published: June 11, 2026.
[3] BleepingComputer. Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks. June 10, 2026.
[4] Help Net Security. Oracle PeopleSoft servers under attack, Oracle pushes out-of-band security alert. June 11, 2026.
[5] TechCrunch. Cybercriminals claim breach of Oracle PeopleSoft servers at 100-plus organizations. June 10, 2026.